Hacked on windows 2003 server cause of mysql installation?

#159802 - 03/11/05 02:51 AM Hacked on windows 2003 server cause of mysql installation?
Covani Offline
stranger

Registered: 03/11/05
Posts: 2
Hello,

I installed MySQL and phpMyAdmin on my Windows 2003 Standard server yesterday. I entered a root password and successfully created some databases. I also installed PHP 4 on the server.

Today I had a big problem on my server, because all the files starting with 'user' were deleted (users.dat, users.mdb, user.frm, etc.). The mail server didn't work anymore because a file named users.dat was missing, etc.

After that I tried, but I wasn't able to create any files starting with 'user' anywhere. I tried on the command prompt, but cmd.exe had been changed to a Windows 2000 Polish version. If I type 'ver' on the command line, I get Windows 2000 Server etc., with some Polish words.


Microsoft Windows 2000 [Wersja 5.02.3790]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Dokumente und Einstellungen\Administrator>
//
C:\Dokumente und Einstellungen\Administrator>dir
Wolumin w stacji C: Mom
Numer seryjny woluminu: 78BA-92E9

Katalog: C:\Dokumente und Einstellungen\Administrator

I thought the server was hacked. Symantec Antivirus Corporate was up to date, but I think it was caused by the new MySQL installation and that I did something wrong.

Now I have scanned the server with Symantec again, but nothing was found. I still can't create files/folders starting with 'user', and reinstalling MySQL doesn't work either.

There's also a .bat file in c:/windows:
nvsvc.exe /install /silence
net start R_Server
etc..

Do you have any idea about the issue? Or have you heard of something like that?

#159806 - 03/11/05 05:27 AM Re: Hacked on windows 2003 server cause of mysql installation?
Sampson Offline
veteran

Registered: 12/18/01
Posts: 1458
Your system is infected by the famous W32/Agobot-EL worm. You will need to go into your registry and edit the following:
Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Generic Service Process = nvsvc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Generic Service Process = nvsvc.exe

and delete them if they exist.

Then, go to the Hosts file, usually located at <WINDOWS>\System32\Drivers\etc\HOSTS.
There will probably be a number of entries which are mostly anti-virus addresses so that your browser won't access them.

You can try this first. It is the least invasive. But, to be honest it looks like you have actually been hacked and your computer is owned by someone else. The only sure way to get it back is to reformat and clean install your operating system.
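
The two checks from the reply above, as an added example that is not part of the original post: it reads a copy of the HOSTS file and saved `reg query` output offline, flags hostnames pointed at a loopback or 0.0.0.0 address, and lists Run-key values whose data names `nvsvc.exe`. The function names and the sample data (including the `.example` hostnames) are constructed for illustration.

```python
import ipaddress
import re

SUSPECT_EXE = "nvsvc.exe"          # Run-key data named in the reply above
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample data; the .example hostnames are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   updates.av-vendor.example   # constructed entry
0.0.0.0     www.av-vendor.example
192.0.2.10  intranet.example
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Generic Service Process    REG_SZ    nvsvc.exe
    ExampleTray    REG_SZ    C:\Example\tray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Generic Service Process    REG_SZ    nvsvc.exe
"""

def sinkholed_hosts(hosts_text):
    """Hostnames mapped to a loopback or 0.0.0.0 address (unreachable by name)."""
    flagged = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid hosts entry
        if addr.is_loopback or addr.is_unspecified:
            flagged += [n.lower() for n in fields[1:] if n.lower() not in LOCAL_NAMES]
    return flagged

def run_key_hits(reg_text, exe=SUSPECT_EXE):
    """(key, value name) pairs in saved `reg query` output whose data names exe."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if m and key and exe.lower() in m.group(2).lower():
            hits.append((key, m.group(1)))
    return hits

if __name__ == "__main__":
    print(sinkholed_hosts(SAMPLE_HOSTS))
    print(run_key_hits(SAMPLE_REG))
```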

#159817 - 03/11/05 02:12 PM Re: Hacked on windows 2003 server cause of mysql installation?
Covani Offline
stranger

Registered: 03/11/05
Posts: 2
Hi Sampson,
Thank you for your reply. I was looking for the worm the whole day. You are right, the server is infected with a worm.
If I check netstat in cmd, I can see some ports open and listening by com.pl addresses.
But I don't understand how it got infected. It's possible it was because of the MySQL installation; at the beginning I entered 123456 as the password, but that was for a short time.
So I will have the system reinstalled and now look for more security besides Symantec Corporate.

Do you have any suggestions for a good firewall to use on Windows Standard Server 2003?

#159832 - 03/11/05 06:28 PM Re: Hacked on windows 2003 server cause of mysql installation?
Sampson Offline
veteran

Registered: 12/18/01
Posts: 1458
Sygate makes a good firewall; the one that most people like is ZoneAlarm. eTrust EZ Armor makes a good firewall also.

#159836 - 03/11/05 08:51 PM Re: Hacked on windows 2003 server cause of mysql installation?
GTwannabe Offline
member

Registered: 06/03/01
Posts: 198
Sygate makes a good firewall for Windows. I use Tiny Personal Firewall now because Sygate wouldn't work quite right with connected VPN clients. Tiny is much harder to configure though.
